The branch OpenSSL_1_1_1-stable has been updated via 0cd2ee64bffcdece599c3e4b5fac3830a55dc0fa (commit) via 30d190caf311d534867df97e26b552e628cb7d85 (commit) from d7b9a7a42d529ce44c5a4af49f6dee72f6619459 (commit)
- Log ----------------------------------------------------------------- commit 0cd2ee64bffcdece599c3e4b5fac3830a55dc0fa Author: Tomas Mraz <tm...@fedoraproject.org> Date: Wed Mar 25 14:18:13 2020 +0100 Document the revert of the proper reporting of an unexpected EOF Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11400) commit 30d190caf311d534867df97e26b552e628cb7d85 Author: Tomas Mraz <tm...@fedoraproject.org> Date: Wed Mar 25 14:15:31 2020 +0100 Partially revert "Detect EOF while reading in libssl" This partially reverts commit db943f43a60d1b5b1277e4b5317e8f288e7a0a3a. Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11400) ----------------------------------------------------------------------- Summary of changes: CHANGES | 7 +++++++ NEWS | 4 +++- crypto/err/openssl.txt | 1 - doc/man3/SSL_get_error.pod | 12 ++++++++++++ include/openssl/sslerr.h | 3 +-- ssl/record/rec_layer_s3.c | 6 ------ ssl/ssl_err.c | 4 +--- 7 files changed, 24 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index ac6777eae8..bfd072965f 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,13 @@ Changes between 1.1.1e and 1.1.1f [xx XXX xxxx] + *) Revert the change of EOF detection while reading in libssl to avoid + regressions in applications depending on the current way of reporting + the EOF. As the existing method is not fully accurate the change to + reporting the EOF via SSL_ERROR_SSL is kept on the current development + branch and will be present in the 3.0 release. + [Tomas Mraz] + *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1 when primes for RSA keys are computed. Since we previously always generated primes == 2 (mod 3) for RSA keys, diff --git a/NEWS b/NEWS index 64722d5e92..056e46d137 100644 --- a/NEWS +++ b/NEWS @@ -7,12 +7,14 @@ Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development] - o + o Revert the unexpected EOF reporting via SSL_ERROR_SSL Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] o Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551) + o Properly detect unexpected EOF while reading in libssl and report + it via SSL_ERROR_SSL Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019] diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index f5324c6819..35512f9caf 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data -SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading SSL_R_UNEXPECTED_MESSAGE:244:unexpected message SSL_R_UNEXPECTED_RECORD:245:unexpected record SSL_R_UNINITIALIZED:276:uninitialized diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod index 97320a6c15..6ef6f7d4c5 100644 --- a/doc/man3/SSL_get_error.pod +++ b/doc/man3/SSL_get_error.pod @@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called. =back +=head1 BUGS + +The B<SSL_ERROR_SYSCALL> with B<errno> value of 0 indicates unexpected EOF from +the peer. This will be properly reported as B<SSL_ERROR_SSL> with reason +code B<SSL_R_UNEXPECTED_EOF_WHILE_READING> in the OpenSSL 3.0 release because +it is truly a TLS protocol error to terminate the connection without +a SSL_shutdown(). + +The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications +which choose to ignore this protocol error depend on the existing way of +reporting the error. + =head1 SEE ALSO L<ssl(7)> diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 0ef684f3c1..ba4c4ae5fb 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void); # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 # define SSL_R_UNEXPECTED_CCS_MESSAGE 262 # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178 -# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294 # define SSL_R_UNEXPECTED_MESSAGE 244 # define SSL_R_UNEXPECTED_RECORD 245 # define SSL_R_UNINITIALIZED 276 diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 1c885a664f..b2a7a47eb0 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, ret = BIO_read(s->rbio, pkt + len + left, max - left); if (ret >= 0) bioread = ret; - if (ret <= 0 - && !BIO_should_retry(s->rbio) - && BIO_eof(s->rbio)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N, - SSL_R_UNEXPECTED_EOF_WHILE_READING); - } } else { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET); diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index a0c7b79659..4b12ed1485 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "unexpected ccs message"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA), "unexpected end of early data"}, - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING), - "unexpected eof while reading"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},